Cisco ISE Deployment

Posted on 2014-09-17
Last Modified: 2015-09-23
Cisco ISE Deployment for NAC solution.
I would like to understand how this can be deployed for 2 data centers.
Data center 1 will be the primary & data center 2 will be the secondary.
All my sites will be getting connected to both my primary & backup DC.
For my NAC solution I need to install the necessary Cisco ISE components in both my Production & Backup DCs.
So in this case I would like to understand how the failover & the redundancy work for Cisco ISE between the DCs for my NAC solution.

If anyone has any details or documents, kindly share.
Question by:SrikantRajeev
LVL 64

Expert Comment

ID: 40329399
Some good references

Setting Up Cisco ISE in a Distributed Environment

Cisco TrustSec How-To Guide: ISE Deployment Types and Guidelines
In midsize to large enterprise deployments, ISE functions can be divided into several dedicated service nodes called “personas”, e.g. “Policy Administration Node (PAN)”, “Policy Service Node (PSN)”, “Monitoring Node (MNT)” and “Inline Posture Node (IPN)”. The main goal of dividing into dedicated service nodes is to distribute the load and traffic caused by authentication services, and to avoid points of failure by centralizing service in one appliance.

Check out
- Basic 2-Node (Redundant) Deployment: Up to 2,000 Endpoints. (SMB) When ISE appliances form redundancy, you can configure them to serve as primary and secondary nodes for administration and monitoring services. Having a single primary administration node and multiple secondary nodes is sometimes referred to as an ISE distributed deployment.

- Distributed Deployment: 2,000 to 10,000 Endpoints. (detaching the PSN from the PAN or MNTs) In this type of distributed deployment, we recommend two sets of Cisco ISE nodes for admin and monitoring functions and up to five PSNs. If you have more than two PSNs in a single location, you can cluster those PSNs behind a load-balancing device (such as a Cisco Application Control Engine) for better performance. Additionally, other network access devices (NADs), such as ones in the second campus network, can point to the headquarters PSN as a secondary RADIUS server for high-availability purposes.

- Distributed Deployment: Up to 100,000 Endpoints (Maximum). (separated onto dedicated appliances) ISE supports up to two dedicated PANs and two dedicated MNTs. Each dedicated appliance can serve as primary and secondary node to maintain resiliency in case of service failure. When these nodes are separated on dedicated appliances, the number of supported PSNs also increases. With 2x PANs and 2x MNTs, ISE supports up to 40 PSNs, supporting 100,000 endpoints concurrently. If your company has a single data center, primary and secondary PANs and MNTs can be connected in different segments. With multiple data centers, it is more common to separate those personas in each data center location for disaster recovery (DR) purposes. Of course, the personas communicate with each other to synchronize endpoint data, session information and state, and configuration changes. With distributed personas, it is important to understand the types of communication between nodes to prevent a node from going out of sync.

A distributed deployment design needs to support all the required communication protocols between personas. For instance, PAN and PSN communicate to replicate and synchronize policy and configurations. Those two appliances use HTTPS (TCP/443) and Oracle DB Listener and AQ (TCP/1521) to perform replication and synchronization. ICMP is also used to perform a heartbeat between the PAN and PSN.
LVL 46

Expert Comment

by:Craig Beck
ID: 40329738
Simply put, failover just happens.  You list both ISE boxes in the NAC client if they're running the PSN persona.

Author Comment

ID: 40332021
For this, from the switch perspective, should I configure both ISE IP addresses as active/standby?
So in case my primary site is down, will it point to the secondary site IP address?
Is it recommended to have the redundancy at the local site, or is it sufficient to have redundancy at site level across 2 DCs?
LVL 46

Expert Comment

by:Craig Beck
ID: 40332245
Yes, configure both on the switch, but remember to include both in any ACLs you have configured.

Redundancy scenarios depend on how your network is designed and how much redundancy you want.  It's quite common for ISE servers to be distributed across L3 boundaries in separate DCs for example.
LVL 64

Expert Comment

ID: 40332413
Agree with Craigbeck, that is the norm for HA. And clustering with heartbeat is the norm as well. It is even applicable during upgrades of switches, to ensure alternate routes are always made available.

Also, at least one node in your distributed setup should assume the Monitoring persona. We recommend that you not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. You may want to consider dedicating the node solely to monitoring for optimum performance. Other points for redundancy:
a) there must be at least one Monitoring ISE node in a distributed deployment. At the time of configuring your primary Administration ISE node, you must enable the Monitoring persona. After you have registered a secondary Monitoring ISE node in your deployment, you can edit the primary Administration ISE node and disable the Monitoring persona, if required.
b) When you register an ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins the process of replication. Replication is the process of sharing ISE configuration data from the primary to the secondary nodes. Replication ensures consistency among the configuration data present in all the ISE nodes that are part of your deployment.

If I may extract the below for info:
Guidelines for Setting Up a Distributed Deployment
Read the following statements carefully before you set up Cisco ISE in a distributed environment:
•There are two types of nodes in a Cisco ISE distributed deployment: the ISE node and the Inline Posture node. An ISE node can assume the Administration, Policy Service, and Monitoring personas at the same time. An ISE node can be a primary, secondary, or standalone node.

•The Administration, Policy Service, and Monitoring personas will be enabled by default in a standalone ISE node.

•You must first configure a primary Administration ISE node and then register secondary nodes to set up a distributed deployment.

•There can be only one primary ISE node in a distributed deployment and it must assume the Administration persona. You can have a maximum of two ISE nodes that assume the Administration persona, one being your primary and the other a secondary node.

•All Cisco ISE system-related configuration and configuration related to functionality should be done only on the primary Administration ISE node. The configuration changes that you perform on the primary Administration ISE node are replicated to all the secondary nodes in your deployment.

•When the primary Administration ISE node goes down, you must log into the user interface of the secondary Administration ISE node and make it the primary node.

•The Inline Posture node requires a dedicated node. No other persona or service can run on a node that is designated as an Inline Posture node.

•A properly configured Domain Name System (DNS) server is required for a distributed deployment to work correctly. You must enter the IP addresses and fully qualified domain names (FQDNs) of the ISE nodes that are part of your distributed deployment in the DNS server.

•If you want to uninstall Cisco ISE from a secondary node, you must first deregister it from the primary Administration ISE node. You can then reimage the standalone node and reregister it with the primary Administration ISE node.

Author Comment

ID: 40343371
Does ISE support 802.1x MAC authentication for the PCs which are connecting to the wired & wireless network?
I want the PCs to be authenticated based on their MAC address using ISE.
Let me know if this is possible.
LVL 64

Expert Comment

ID: 40343609
My understanding is that it is possible using MAC via MAB (MAC Authentication Bypass).
If a device (endpoint) does not support 802.1x, MAC address authentication can be used, based on the MAC address of the device. Of course, it is less secure because of MAC address spoofing. Hashing and encryption are not really needed because username and password are both the MAC address. EAP-MD5 or PAP is not always necessary.

The normal MAB scheme uses 4 phases during operation of the endpoint:
Phase 1: initiation, this will time out because there is no 802.1x response
Phase 2: MAC learning, the NAD will check the MAC address with ISE after the endpoint sends the first packet
Phase 3: Authorization, ISE can push some DACL or other authorization objects like VLANs
Phase 4: Accounting
LVL 46

Expert Comment

by:Craig Beck
ID: 40343983
I just answered your other question, but I'll repeat here...

MAB is available in ISE.  There is already a policy in ISE to do wireless and wired MAB so you just configure your switches for 802.1x and MAB then add the MAC addresses to the internal endpoints database.
LVL 64

Accepted Solution

btan earned 500 total points
ID: 40344101
To add, if you catch these extracted steps for ref:
Step 8      Enable various authentication method options:

! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server
authentication event fail action next-method
authentication event server dead action authorize <VLAN_number>
authentication event server alive action reinitialize
! IOS Flex-Auth authentication should do 802.1X then MAB
authentication order dot1x mab
authentication priority dot1x mab
Step 9      Enable 802.1X port control on the switchport:

! Enables port-based authentication on the interface
authentication port-control auto
authentication violation restrict
Step 10      Enable MAC Authentication Bypass (MAB):

! Enable MAC Authentication Bypass (MAB)
mab
Step 11      Enable 802.1X on the switchport

! Enables 802.1X authentication on the interface
dot1x pae authenticator
Step 12      Set the retransmit period to 10 seconds:

dot1x timeout tx-period 10
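Pulling the thread together: Craig's point about listing both PSNs on the switch (and in any ACLs in the path), and the per-port steps above, as one complete IOS 15.x access-switch configuration. This is an added example, not configuration from the thread or from the Cisco guide the steps were extracted from. The hostnames, addresses (10.1.1.10 for the DC1 PSN, 10.2.1.10 for the DC2 PSN), VLAN numbers and the shared secret are placeholders for illustration; the commands themselves are standard IOS 15.x syntax.

```cisco
! Added example (not from the thread): access switch pointing at two ISE
! Policy Service Nodes, one per data center. All addresses, names and
! the shared secret below are placeholders.
aaa new-model
!
! Define each PSN as a RADIUS server. automate-tester lets the switch
! probe the server so it is marked dead/alive without waiting for a
! real user authentication to fail.
radius server ISE-DC1-PSN
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
 automate-tester username radius-probe probe-on
!
radius server ISE-DC2-PSN
 address ipv4 10.2.1.10 auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
 automate-tester username radius-probe probe-on
!
! Server group: DC1 is tried first; when it is dead the switch fails
! over to DC2 for the deadtime period before retrying DC1.
aaa group server radius ISE-GROUP
 server name ISE-DC1-PSN
 server name ISE-DC2-PSN
 deadtime 15
!
! Dead-server detection: no reply within 5 s, 3 tries -> mark dead.
! This is what triggers "authentication event server dead" on ports.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Allow either PSN to push DACLs / send Change of Authorization (CoA).
aaa server radius dynamic-author
 client 10.1.1.10 server-key <SHARED_SECRET>
 client 10.2.1.10 server-key <SHARED_SECRET>
!
dot1x system-auth-control
!
! If an ACL sits between the access layer and the DCs, it must permit
! RADIUS to BOTH PSNs and CoA back from both; missing the second server
! silently breaks failover. Illustrative entries only.
ip access-list extended ACCESS-TO-DC
 permit udp any host 10.1.1.10 range 1812 1813
 permit udp any host 10.2.1.10 range 1812 1813
 permit udp host 10.1.1.10 any eq 1700
 permit udp host 10.2.1.10 any eq 1700
!
! Per-port policy: 802.1X first, then MAB, as in the extracted steps.
interface range GigabitEthernet1/0/1 - 24
 description User access - dot1x then MAB
 switchport mode access
 switchport access vlan 10
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

With this in place the ordering is: a supplicant-capable PC authenticates via 802.1X; a device with no supplicant times out (tx-period 10) and falls to MAB, which ISE answers from its endpoint database; if both PSNs are dead the port is authorized into the critical VLAN and re-initialized once a server comes back. Check the failover state with `show aaa servers` and `show radius server-group all` rather than waiting for user reports.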

Author Comment

ID: 40363188
Checking this out.

Author Closing Comment

ID: 40992213
